View this presentation to learn more about the evolution of DDoS attacks and the impact that botnets -- which have grown in sophistication recently -- have had on the size, scope and scale of DDoS attacks in recent years.
Who is Arbor Networks?

A Trusted & Proven Vendor Securing the World's Largest and Most Demanding Networks

• 90% – Percentage of the world's Tier 1 service providers who are Arbor customers
• 105 – Number of countries with Arbor products deployed
• 25 Tbps – Amount of global traffic monitored by the ATLAS security intelligence initiative right now
• #1 – Arbor market position in the Carrier, Enterprise and Mobile DDoS equipment markets, with more than 450 customers [Infonetics Research, July 2012]
• 12 – Number of years Arbor has been delivering innovative security and network visibility technologies & products
• $16B – 2011 GAAP revenues [USD] of Danaher, Arbor's parent company, providing deep financial backing
What is a DDoS Attack?
During a Distributed Denial of Service (DDoS) attack, compromised hosts or bots coming from distributed sources overwhelm the target with illegitimate traffic so that the servers cannot respond to legitimate clients.
DDoS Attack Vectors

Volumetric Attacks
– Usually botnets with traffic from spoofed IPs generating high traffic volume
– UDP based floods from spoofed IPs take advantage of the connectionless UDP protocol
– Take out the infrastructure capacity: routers, switches, servers, links

(Diagram: bots connect to a C&C to create an overlay network, or botnet; endpoints at broadband providers and corporations become infected; the bots attack across the Internet backbone toward the enterprise server.)

Reflection Flood Attacks
– Use a legitimate resource to amplify an attack to a destination
– Send a request to an IP that will yield a big response, and spoof the source IP address to that of the actual victim
– DNS reflective amplification is a good attack example

(Diagram: the attacker sends a DNS request with a spoofed source; the DNS server responds to the spoofed source, the victim; this is repeated many times, and each DNS response is many times larger than the request.)
DDoS Attack Vectors

State Exhausting Attacks
– Take advantage of the stateful nature of the TCP protocol
– SYN, FIN, RST floods
– TCP connection attacks
– Exhaust resources in servers, load balancers or firewalls

(Diagram: the client sends a SYN to a listening server, which stores data such as connection state; this is repeated many times until the system runs out of TCP listener sockets or out of memory for stored state.)

Application Layer Attacks
– Exploit limitations, scale and functionality of specific applications
– Can be low-and-slow
– HTTP GET & POST, SIP INVITE floods
– Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, refref, hash collision etc.

(Screenshots: the HOIC and LOIC attack tools.)
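The two vectors above leave characteristic traces in flow records: a reflection victim receives far more DNS response bytes than it ever sent in queries, and a SYN-flooded listener sees single-packet SYN flows that never become established connections. The following detector is an added example written for this page, not Arbor's code or a Peakflow/Pravail feature; its flow records and thresholds are constructed for illustration.

```python
from collections import defaultdict

# One-second window of constructed flow records (sample data, not captured traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, bytes, packets)
FLOWS = (
    # DNS reflection: replies from 40 open resolvers to a victim that sent no queries
    [("192.0.2.%d" % i, 53, "198.51.100.10", 33333, "udp", "", 3100, 1) for i in range(1, 41)]
    # SYN flood: 200 single-packet SYN flows from spoofed sources, no handshake completion
    + [("203.0.113.%d" % i, 40000 + i, "198.51.100.20", 80, "tcp", "S", 60, 1) for i in range(1, 201)]
    # Legitimate web traffic: completed handshakes carrying data
    + [("198.51.100.%d" % i, 50000 + i, "198.51.100.20", 80, "tcp", "SPA", 4800, 12) for i in range(30, 40)]
    # A normal client that actually asked a resolver and got a modest answer
    + [("198.51.100.30", 5353, "192.0.2.1", 53, "udp", "", 70, 1),
       ("192.0.2.1", 53, "198.51.100.30", 5353, "udp", "", 120, 1)]
)

def classify(flows, amp_ratio=10.0, min_reflectors=20, syn_ratio=0.9, min_syns=100):
    """Return (vector, target, score) findings for reflection and SYN-flood evidence."""
    dns_in = defaultdict(int)      # bytes of DNS responses arriving at each host
    dns_out = defaultdict(int)     # bytes of DNS queries each host sent itself
    reflectors = defaultdict(set)  # distinct DNS sources answering each host
    syn_only = defaultdict(int)    # half-open attempts per (dst, port)
    established = defaultdict(int) # flows that carried an ACK, i.e. completed handshakes
    for src, sport, dst, dport, proto, flags, nbytes, _pkts in flows:
        if proto == "udp" and sport == 53:
            dns_in[dst] += nbytes
            reflectors[dst].add(src)
        elif proto == "udp" and dport == 53:
            dns_out[src] += nbytes
        elif proto == "tcp":
            key = (dst, dport)
            if flags == "S":
                syn_only[key] += 1
            elif "A" in flags:
                established[key] += 1
    findings = []
    for host, inbound in dns_in.items():
        # Amplification shows as response volume far above query volume; +1 avoids division by zero
        ratio = inbound / (dns_out[host] + 1)
        if ratio >= amp_ratio and len(reflectors[host]) >= min_reflectors:
            findings.append(("dns_amplification", host, round(ratio, 1)))
    for (host, port), syns in syn_only.items():
        # State exhaustion shows as SYNs that overwhelmingly never complete a handshake
        share = syns / (syns + established[(host, port)])
        if syns >= min_syns and share >= syn_ratio:
            findings.append(("syn_flood", "%s:%d" % (host, port), round(share, 2)))
    return findings

if __name__ == "__main__":
    for vector, target, score in classify(FLOWS):
        print(vector, target, score)
```

The legitimate resolver exchange and the completed web sessions in the sample stay below both thresholds, which is the check a practitioner would want before tuning the ratios on real flow exports.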
Modern DDoS Attacks Are Complex

The Broad Impact of DDoS Attacks

(Diagram labels: IPS, Load Balancer, Data Center, Attack Traffic, Good Traffic.)

Today's DDoS attacks can cause (1) saturation upstream, (2) state exhaustion, or (3) application outages; many times one attack can result in all three, and all with the same end result: critical services are no longer available!
How is DDoS Evolving?

• In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.
• Arbor World-Wide Infrastructure Security Survey, 2011
  – 7th annual survey
  – Concerns, observations and experiences of the security community
  – 114 respondents, a broad spread of customers from around the world
• Arbor ATLAS Internet Trends
  – 250+ Arbor customers
  – Hourly export of anonymized DDoS and traffic statistics
Key Findings in the 2011 Survey

Large Attacks are Now Commonplace

(Chart: Largest attack reported, in Gbps, 2002 through 2011: 0.14, 1.2, 2.5, 10, 17, 24, 40, 49, 100, 60.)
(Chart: Highest bps DDoS in 2011: < 1 Gbps 43%, 1 - 10 Gbps 27%, > 10 Gbps 13%, Don't Know 17%.)

• Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators
• 13% of respondents report attacks above 10 Gbps
• 40% of respondents report attacks above 1 Gbps
• Largest pps attack reported is 35 Mpps, keeping pace with 2010
Key Findings in the 2011 Survey

Application Layer and Multi-Vector Attacks

(Chart: Services Targeted by Application Layer DDoS Attacks: HTTP 87%, DNS 67%, SMTP 25%, HTTPS 24%, SIP/VOIP 19%, IRC 11%, Other 7%.)
(Chart: Have You Experienced Multi-vector Application / Volumetric DDoS Attacks? Yes 41%, No 32%, Don't Know 27%.)

• A higher percentage of attacks reported on HTTP and IRC relative to 2010
  – HTTP (87% vs. 84%) and IRC (11% vs. 0%)
• Lower percentage of attacks on DNS, SMTP, HTTPS and VOIP
  – DNS (67% vs. 76%), SMTP (25% vs. 40%), HTTPS (24% vs. 35%) and VOIP (19% vs. 38%)
• SSL based attacks reported included TCP and UDP floods against port 443 and Slowloris
Key Findings in the 2011 Survey

Attack Frequencies Increasing

(Chart: Number of DDoS Attacks per Month: 0 – 9%, 1 - 10 – 47%, 10 - 20 – 15%, 20 - 50 – 11%, 50 - 100 – 10%, 100 - 500 – 7%, > 500 – 1%.)

• 91% of respondents see at least 1 DDoS attack per month, up from 76% in 2010
• 44% of respondents see 10 or more attacks per month, up from 35% in 2010
Bots: Putting the "(D)" in (D)DoS

• "Got bot?"
• A bot is a servant process on a compromised system (unbeknownst to the owner), usually installed by a Trojan or worm.
• Communicates with a handler or controller via public IRC servers, social media, or other compromised systems.
• A botmaster or botherder commands bots to perform any of a number of different functions.
• The system of bots and controller(s) is referred to as a botnet network.
Botnets: "Black Market Clouds"

• Each botnet represents a "black market" cloud
• Can be built with "off the shelf" malware
• Becoming more profitable than SPAM
• Popular for:
  – Competitive advantage
  – Extortion
  – Hacktivism
  – Political
  – Ego-driven
  – Distraction from other cyber-crimes
Botnets: Identity Theft & Fraud

Globally, data breaches are expected to account for $130.1 billion in corporate losses this year, according to the Ponemon Institute. Historically, about 30% of that total cost has been direct losses attributable to the breaches, which would mean about $39 billion will be stolen in 2011.
Botnets: Getting More Sophisticated

• Key Loggers – Gotta get those "full creds"
• Drop Sites
• Click Fraud
• Bot Trading & Marketing
  – .net - $.05
  – .gov - $1.00
  – nasa.gov - $.05
• "Better Marketing by the Botherders"
  – Excellent ping & uptime
  – Rotating IP addresses
  – Different ISPs
  – Intuitive user interface
  – SLAs - 100 percent uptime guarantee!
Anatomy of a DDoS Attack from a Botnet

(Diagram, with enterprises, hosting providers, broadband users, the provider and the Internet backbone as actors:)
• Systems become infected
• Bots connect to a C&C to create an overlay network (botnet)
• The botnet master connects to the controller and issues the attack command
• Bots attack the DDoS target
Dirt Jumper Botnets Used for DDoS

• 500+ Dirt Jumper family bots analyzed by ASERT
  – Each Dirt Jumper botnet can last months and attack hundreds (or more) of victims during its lifecycle
• Features UDP, TCP, HTTP attacks, "anti-ddos" attacks
  – Actively developed, widely used commercially
  – Includes:
    • Dirt Jumper version 3
    • Dirt Jumper version 5
    • Pandora
    • DiBotnet
    • Khan
Commercial DDoS Product – Dirt Jumper 3

• Version 3 is quite popular
• Anti-DDoS attacks mentioned
  – Designed to bypass anti-DDoS defenses
  – A more recent innovation from the attackers
Dirt Jumper Botnet Attacks, August 2012

• Arbor's Bladerunner project samples the DDoS bot population
• Bladerunner observed approx. 2000 unique DDoS attacks in August 2012 from 68 botnets
• Of these, we analyzed 25 Dirt Jumper botnets to observe 301 unique attacks on a variety of targets
  – Some attacks lasted days
• Many website targets with 100+ virtual hosts
• Many attacks on HTTP, but we also saw attacks on HTTPS, SMTP, MySQL
Commercial DDoS Product – Pandora

• View of the control panel, used by the botmaster to launch DDoS attacks
• Originally sold for $800, cracked version for $100; has also been leaked (free)
• Attacks look just like Dirt Jumper 5 and Khan bots
• Appeared early 2012
Commercial DDoS Product – DiBoTNet

• Re-uses Dirt Jumper code, adds a "bot killer" feature to eliminate the competition from infected computers
• Early 2012
Commercial DDoS Product – Armageddon

• Very popular bot, active competitor to other Russian bots
• Involved in politically motivated attacks in Russia
• In addition to HTTP, has attacked remote desktop, FTP, SSH
Arbor's Key Technologies

Visibility
• Flow Intelligence – Arbor's products are the premier analyzers of full network flow data, providing holistic traffic & security visibility.
• Application Intelligence – Arbor's products offer deep insight into applications and services as more services move to standard ports.
• Global Intelligence – Arbor's products leverage the real-time, Internet-wide visibility of the ATLAS initiative to detect and stop active threats.

Protection
• Availability Engine – Arbor's core packet analysis & blocking engine can stop, and is also immune to, all threats against availability.
• Botnets & Malware – Arbor's Security Emergency Response Team (ASERT) conducts unique research into botnets and malware.
• Cloud Signaling – Arbor's proprietary protocol enables signaling from the enterprise edge to the cloud for complete protection.
Peakflow Products

Visibility: Peakflow SP
Models: CP-5500, PI-5500, BI-5500, FS-5500
The Peakflow Service Provider (SP) solution collects and analyzes Flow, BGP, and SNMP data; conducts network anomaly detection for security visibility; provides a user interface for managed services; and offers massive scale to meet the needs of the world's largest service providers and cloud operators.

Protection: Peakflow TMS
Models: TMS-1200, TMS-2500, TMS-3000 Series, TMS-4000 Series
The Peakflow Threat Management System (TMS) is built for high-performance, carrier-class networks and used for surgical mitigation of DDoS attack traffic with no additional latency for legitimate traffic; it also serves as a protection platform for in-cloud managed security services.
Pravail Products

Visibility: Pravail NSI
Models: X-CONT-1, X-COL-8K32/16K, X-COL-AIC, X-VIRTUAL
Pravail Network Security Intelligence (NSI) collects and analyzes flow and raw packet data; detects botted users and endpoints; and provides application-level pervasive security intelligence across the enterprise network.

Protection: Pravail APS
Models: APS-2104, APS-2105, APS-2107, APS-2108
The Pravail Availability Protection System (APS) provides out-of-the-box protection from attacks while being immune to state-exhausting attacks; blocks complex application-layer DDoS; supports a dynamic threat feed from ATLAS to stop botnets; supports inline deployment models; and has the ability to send cloud signals upstream.
The ATLAS Initiative

The ATLAS initiative is the world's most comprehensive Internet monitoring & security intelligence system.

Services: ATLAS Intelligence Feed (AIF), Active Threat Feed (ATF), Fingerprint Sharing, Global Threat Analysis Portal

ATLAS intelligence is seamlessly integrated into Arbor products and services, including real-time services, global threat intelligence and insight into key Internet trends.

ASERT, Arbor's Security Engineering and Research Team, also leverages ATLAS to provide expert commentary on security trends and to address significant Internet research questions.
The Cloud Signaling Coalition

Unite the enterprise & service providers via Arbor's Cloud Signaling Coalition

(Diagram: subscriber networks and the Internet service provider, running an Arbor Peakflow SP / TMS-based DDoS service, sit upstream of the data center network, where Arbor Pravail APS fronts the firewall / IPS / WAF and the public facing servers; a cloud signaling status indicator is shown.)

1. Service operating normally
2. Attack begins & is blocked by Pravail
3. Attack grows, exceeding bandwidth
4. Cloud signal launched
5. Customer fully protected!
Arbor's Threat Ecosystem

The Arbor ecosystem between service providers & enterprise data centers offers unique insight into emerging and active threats.

(Diagram: Service Providers and Enterprise Data Centers.) Enterprise data center services are now fully protected!